aws-samples / aws-iot-securetunneling-localproxy

AWS IoT Secure Tunneling local proxy reference C++ implementation
https://docs.aws.amazon.com/iot/latest/developerguide/what-is-secure-tunneling.html
Apache License 2.0

Localproxy working behind network proxy #27

Closed karanberiwal closed 4 years ago

karanberiwal commented 4 years ago

Hi, does this localproxy application work behind a network proxy address and port? If it supports it, can you help me with where it should be configured? I am not able to send MQTT behind a network proxy. Without a network proxy it is working fine.

kareali commented 4 years ago

Hi @karanberiwal, just to make sure I got this right, you mean an HTTP proxy, no? If that's the case, then unfortunately we don't support HTTP proxies, but we will have your feature request under consideration.

Thanks, Kareem.

karanberiwal commented 4 years ago

No problem, but can you help me with where the proxy functionality could be added in the code so that the code supports working behind a network proxy?

kareali commented 4 years ago

Thanks for your interest, @karanberiwal! While I haven't performed further analysis on the implementation, I would be glad to review a PR for this!

The problem, in a nutshell, is that the localproxy tries to connect directly to our endpoint on the cloud and upgrade that to a websocket connection. This doesn't work with an HTTP proxy between them because it intercepts every request which causes the upgrade process to fail.

For the local proxy to work behind an HTTP proxy, you would need to provide the HTTP proxy endpoint as an input to the localproxy, and before the localproxy connects to the cloud endpoint, it would first establish a permanent connection with the HTTP proxy. This is done using the CONNECT method, by sending the HTTP proxy something like this:

CONNECT echo.websocket.org:80 HTTP/1.1
Host: echo.websocket.org
Proxy-Connection: keep-alive
Connection: keep-alive

And replacing echo.websocket.org:80 with the cloud endpoint of the tunneling service. Once this is handled by the HTTP proxy, it will allow the client (the localproxy in this case) to tunnel a connection through the HTTP proxy to the cloud endpoint. Once the CONNECT request between the localproxy and the HTTP proxy is complete, nothing else would need to change, since from that point forward the HTTP proxy will blindly forward TCP packets.

https://tools.ietf.org/html/rfc7231#section-4.3.6
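The CONNECT handshake outlined in the comment above, as an added example that is not part of the localproxy code base or of this thread: it builds the request, parses the proxy's reply, and only reports an open tunnel on a 2xx status, so a 407 challenge or a malformed reply never lets the websocket upgrade start. The proxy side is a constructed stand-in (`fake_proxy_reply`) so the exchange runs offline, and the endpoint name used in the test is a placeholder.

```cpp
#include <sstream>
#include <string>

// Build the CONNECT request the localproxy would send to the HTTP proxy (RFC 7231 section 4.3.6).
std::string build_connect_request(const std::string& host, int port) {
    std::ostringstream req;
    req << "CONNECT " << host << ":" << port << " HTTP/1.1\r\n"
        << "Host: " << host << ":" << port << "\r\n"
        << "Proxy-Connection: keep-alive\r\n"
        << "Connection: keep-alive\r\n\r\n";
    return req.str();
}

// Result of examining the proxy's reply. 'leftover' holds any bytes that arrived after the
// header block; a 2xx CONNECT reply has no body, so those bytes already belong to the tunnel
// and must be handed to the websocket layer rather than discarded.
struct ConnectReply { bool complete = false; int status = 0; std::string leftover; };

// Parse the reply incrementally: 'complete' stays false until the full header block has arrived.
ConnectReply parse_connect_reply(const std::string& buf) {
    ConnectReply r;
    size_t end = buf.find("\r\n\r\n");
    if (end == std::string::npos) return r;  // need more bytes from the proxy
    r.complete = true;
    std::istringstream status_line(buf.substr(0, buf.find("\r\n")));
    std::string version;
    status_line >> version >> r.status;
    // A non-HTTP or out-of-range status line is treated as status 0, i.e. no tunnel.
    if (version.rfind("HTTP/1.", 0) != 0 || r.status < 100 || r.status > 599) r.status = 0;
    r.leftover = buf.substr(end + 4);
    return r;
}

// Constructed stand-in for the HTTP proxy so the exchange can run offline; not a real proxy.
std::string fake_proxy_reply(const std::string& request, bool allow) {
    if (request.rfind("CONNECT ", 0) != 0) return "HTTP/1.1 400 Bad Request\r\n\r\n";
    if (!allow) return "HTTP/1.1 407 Proxy Authentication Required\r\n"
                       "Proxy-Authenticate: Basic realm=\"proxy\"\r\n\r\n";
    return "HTTP/1.1 200 Connection established\r\n\r\n";
}

// Whole handshake: true only when the proxy opened the tunnel. The websocket upgrade to the
// cloud endpoint must start only after this returns true; the proxy forwards bytes blindly from then on.
bool tunnel_established(const std::string& host, int port, bool proxy_allows) {
    ConnectReply reply = parse_connect_reply(fake_proxy_reply(build_connect_request(host, port), proxy_allows));
    return reply.complete && reply.status >= 200 && reply.status < 300;
}
```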